A US government bureau set up to conduct “secret” and “top secret” security clearance investigations has turned for help to a private company whose login credentials were used in hack attacks that looted the personal data of 22 million current and former federal employees, US officials said on Friday.
Their confirmation of the hiring of KeyPoint Government Solutions by the new National Background Investigations Bureau (NBIB), a semi-autonomous entity within the US Office of Personnel Management (OPM), came ahead of the bureau’s official opening scheduled for next week. Its creation was spurred, in part, by the same hacks of OPM that have been linked to the credentials of KeyPoint, one of four companies hired by the bureau. The officials asked not to be named when discussing sensitive information.
KeyPoint representatives did not respond to requests for comment sent by email and left on the company CEO’s voice-mail. OPM spokesman Samuel Schumach said the agency has acknowledged in public statements and in congressional testimony that a KeyPoint contractor’s stolen credentials were used by hackers to gain access to government personnel and security investigations records in two major OPM computer breaches.
Both breaches occurred in 2014, but were not discovered until April 2015, according to investigators. Schumach said the agency has taken steps to improve security. “OPM has incorporated enhanced security language into our contracts including KeyPoint Government Solutions (KGS),” he said in a statement.
“Additionally, OPM has implemented several technical controls on our network which include multiple layers of inspection and controlled connection points prior to authorizing contractors such as KGS to connect to our network and systems,” Schumach said. “The combination of the contract language and technical controls has significantly improved OPM’s capability to monitor all of our contractors for compliance with all security requirements and mitigate risk to our systems and data,” Schumach said.
OPM Director Katherine Archuleta resigned in mid-2015 amid scrutiny of the agency’s cyber security practices. US officials have privately blamed China for the hacking. Beijing has denied the allegations, and China’s state news agency has said the breach was carried out by a criminal enterprise.
KeyPoint was one of the four companies hired by the new NBIB to conduct field interviews for security clearance investigations, OPM and officials said earlier in September. One US official familiar with the hiring of KeyPoint said personnel records were hacked in 2014 from KeyPoint and, at some point, its login credentials were stolen. But the official said no evidence proves that the KeyPoint credentials used by the OPM hackers were stolen in the 2014 KeyPoint hack.
Earlier this month, OPM said it was awarding four contracts for “investigative fieldwork” to KeyPoint, CACI Premier Technology Inc, SCRA LLC and Securitas Critical Infrastructure Services. OPM said the four companies were the only ones to bid for the investigation contracts.